SOLR-11623 for 9.x fixes in this space. This Jira is to apply sane permission default to /admin/zookeeper?path=/security.json and /api/cluster/zk/data/security.json so users will need "security-read" permission to see that data across the board. Users already need this permission to use the /api/cluster/security/authentication API.
NOTE that this was not a bug as such, but since these endpoints did not have an attached permission, they would remain unprotected, if the user did not define custom path-based permissions for the handlers, or alternatively applied an "all" permission at the end of the chain. This could be surprising to users, especially if they already included the predefined "zk-read" and "security-read" permissions in their chain, but they did not apply to these handlers.